*
* Functions needed to display the options pages.
*
- * @copyright © 1999-2007 The SquirrelMail Project Team
+ * @copyright 1999-2011 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
//TODO: might be better to have a separate template file for all widgets, because then the layout of the widget and the "trailing text" can be customized - they are still hard coded here
if ($password)
-addPwField($sName, $sValue = null, $aAttribs=array()) {
return addPwField('new_' . $this->name, $this->value, $width, 0, $this->aExtraAttribs) . ' ' . htmlspecialchars($this->trailing_text);
else
return addInput('new_' . $this->name, $this->value, $width, 0, $this->aExtraAttribs) . ' ' . htmlspecialchars($this->trailing_text);
return;
}
+ // if the widget is a selection list, make sure the new
+ // value is actually in the selection list and is not an
+ // injection attack
+ //
+ if ($option->type == SMOPT_TYPE_STRLIST
+ && !array_key_exists($option->new_value, $option->possible_values))
+ return;
+
+
+ // all other widgets except TEXTAREAs should never be allowed to have newlines
+ //
+ else if ($option->type != SMOPT_TYPE_TEXTAREA)
+ $option->new_value = str_replace(array("\r", "\n"), '', $option->new_value);
+
+
global $data_dir;
// edit lists: first add new elements to list, then
&& empty($option->new_value))
setPref($data_dir, $username, $option->name, SMPREF_OFF);
+ // For integer fields, make sure we only have digits...
+ // We'll be nice and instead of just converting to an integer,
+ // we'll physically remove each non-digit in the string.
+ //
+ else if ($option->type == SMOPT_TYPE_INTEGER) {
+ $option->new_value = preg_replace('/[^0-9]/', '', $option->new_value);
+ setPref($data_dir, $username, $option->name, $option->new_value);
+ }
+
else
setPref($data_dir, $username, $option->name, $option->new_value);
projects / squirrelmail.git / blobdiff